Hi,

Microsoft has proposed to stop issuing new certificates using
SHA1 by 2016.
(http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx).

Mozilla also has a bug that even suggests no longer accepting some
new certificates in 3 months and not accepting any in 2017.
https://bugzilla.mozilla.org/show_bug.cgi?id=942515

But it's unclear if this is really a policy or just what some
people think should happen.

This seems to also recently have been discussed in the CA/Browser
forum, but I have a feeling not everybody sees the need for this.
https://cabforum.org/2013/12/19/2013-12-19-minutes/

I want to point out that SHA1 is broken for what it is used for in
certificates.  SHA1 should have a collision resistance of about
2^80 but the best known attack reduces this to about 2^60.  In
2012 it cost about 3M USD to break SHA-1, in 2015 this will only be
about 700K USD.  See
https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

With a collision it's possible to create a rogue CA.  See:
http://www.win.tue.nl/hashclash/rogue-ca/

This is only based on the best attack that is currently
publicly known.  There might be other attacks that we don't
know about yet even further reducing the cost, specialised
hardware and so on.

This is just waiting to either happen or until someone finds out
that it did happen.

I would like to encourage everybody to start using SHA2 in
certificates as soon as possible, since that's clearly the
weakest part of the whole chain.

This is more important than stopping the use of 1024-bit RSA keys, since
they still have a complexity of 2^80.  But you really should
also stop using those.

Can someone please try to convince the CAB forum about the need
for this?


Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
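As an added example (my own code, not part of Kurt's message and not from any CA or browser vendor), here is a stdlib-only Python script that reads the two points he raises straight out of a DER certificate: the signature algorithm (flagging SHA1/MD5) and the RSA modulus length (flagging anything under 2048 bits). The OID table, the field names, and the pem_to_der helper are mine. The two sample certificates at the bottom are constructed DER skeletons (empty Name fields, a dummy signature value) built by a tiny encoder so the script runs offline; a real DER or PEM certificate has the same field layout and can be passed to audit_certificate() unchanged.

```python
import base64

# OID -> (name, weak). Weak = the hash is SHA-1 or MD5. Table is mine, not exhaustive.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
RSA_KEY_OID = "1.2.840.113549.1.1.1"


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(text):
    """Strip the -----BEGIN/END----- lines and base64-decode a PEM certificate."""
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def audit_certificate(der):
    """Return a list of findings for one DER certificate (empty list = nothing found)."""
    _, cert, _ = read_tlv(der)
    tbs, outer_alg, _signature = children(cert)[:3]
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:               # [0] EXPLICIT version is absent in v1 certs
        fields = fields[1:]
    _serial, inner_alg, _issuer, _validity, _subject, spki = fields[:6]
    inner_oid = decode_oid(children(inner_alg[1])[0][1])
    outer_oid = decode_oid(children(outer_alg[1])[0][1])

    findings = []
    if inner_oid != outer_oid:             # RFC 5280 requires the two fields to match
        findings.append("tbsCertificate.signature differs from signatureAlgorithm")
    name, weak = SIG_ALGS.get(outer_oid, (outer_oid, None))
    if weak:
        findings.append(f"signed with {name}")
    elif weak is None:
        findings.append(f"unrecognised signature algorithm {outer_oid}")

    key_alg, key_bits = children(spki[1])
    if decode_oid(children(key_alg[1])[0][1]) == RSA_KEY_OID:
        # BIT STRING contents: one unused-bits byte, then DER RSAPublicKey { n, e }
        modulus, _exponent = children(read_tlv(key_bits[1][1:])[1])
        bits = int.from_bytes(modulus[1], "big").bit_length()
        if bits < 2048:
            findings.append(f"RSA modulus is only {bits} bits")
    return findings


# Minimal DER encoder, used only to construct the sample input below.
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit stays clear


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return tlv(0x06, bytes(body))


def build_sample_cert(sig_oid, modulus_bits):
    """Constructed skeleton: real field layout, empty names, dummy signature bytes."""
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    empty_name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"150101000000Z"))
    modulus = (1 << (modulus_bits - 1)) | 1          # any odd number of the wanted length
    rsa_key = tlv(0x30, encode_int(modulus) + encode_int(65537))
    spki = tlv(0x30, tlv(0x30, encode_oid(RSA_KEY_OID) + tlv(0x05, b""))
                     + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0x30, tlv(0xA0, encode_int(2)) + encode_int(1) + alg
                    + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for label, der in [("sha1 + 1024-bit RSA", build_sample_cert("1.2.840.113549.1.1.5", 1024)),
                       ("sha256 + 2048-bit RSA", build_sample_cert("1.2.840.113549.1.1.11", 2048))]:
        print(label, "->", audit_certificate(der) or ["no findings"])
```

Run it against a real chain with audit_certificate(pem_to_der(open("chain.pem").read())) for each certificate in the file. Two caveats: only RSA key sizes are checked (an EC key produces no key finding), and a self-signed root's own SHA1 signature is never verified by a client, so a hit on a root is informational while a hit on an intermediate or end-entity certificate is the case Kurt is describing.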